Discuss this help topic in SecureBlackbox Forum

Validate Authenticode

SecureBlackbox offers a component, TElAuthenticodeManager, for validating Authenticode signatures made over PE executable (.exe and .dll) files. A typical validation procedure consists of the following steps:

  1. Create a TElAuthenticodeManager object: TElAuthenticodeManager manager = new TElAuthenticodeManager();
  2. Open your executable: bool signed = manager.Open(@"C:\bin\program.exe"); Open() returns true if the file is signed (i.e. contains at least one Authenticode signature), and false otherwise. If the file cannot be opened or an error occurred while parsing the Authenticode block, an exception is thrown containing one of the error codes. Treat both the false result and the exception as a failed check: an unsigned or unparseable file must not be trusted by default.
  3. Browse the signatures contained in the opened file (if any) using the Signatures[] property (get_Signatures() method on some platforms). It contains a list of TElAuthenticodeSignature objects, one for each signature available in the file. Use the objects' properties to obtain the details of the signatures.
    
    for (int i = 0; i < manager.SignatureCount; i++)
    {
        TElAuthenticodeSignature signature = manager.get_Signatures(i);
    
        Console.WriteLine("Signature #{0}: {1} (url: {2})", signature.Index, signature.Description, signature.URL);
    
        // SigningCertificate is null when the signer's certificate is not among the
        // embedded certificates; the conditional must be parenthesised, otherwise
        // "+" binds before "?:" and the expression does not compile.
        Console.WriteLine("Signer: " + ((signature.SigningCertificate == null) ? "UNKNOWN" : signature.SigningCertificate.SubjectName.CommonName));
    
        // A timestamp records when the signature was made; it is what allows a signature
        // to remain valid after the signing certificate has expired.
        if (signature.Timestamp != null)
        {
            if (signature.Timestamp.TimestampType == TSBAuthenticodeTimestampType.actTrusted)
                Console.WriteLine("RFC3161 timestamp detected: " + signature.Timestamp.SigningTime.ToLongDateString());
            else
                Console.WriteLine("Legacy timestamp detected: " + signature.Timestamp.SigningTime.ToLongDateString());
        }
    
        // Validity reports only whether the signature itself verifies over the file hash;
        // it says nothing about whether the signer is trusted (see the note below).
        if (signature.Validity == TSBAuthenticodeValidity.acvValid)
            Console.WriteLine("Signature is valid");
        else
            Console.WriteLine("Verification failed, error " + signature.Validity.ToString());
    }
    
  4. Browse the embedded certificates (typically representing the signing certificate chain) using the Certificates property of each signature, i.e. inside the loop from step 3:
    
    for (int j = 0; j < signature.Certificates.Count; j++)
    {
        // index with j, not a constant, or every iteration prints the first certificate
        TElX509Certificate certificate = signature.Certificates.get_Certificates(j);
        Console.WriteLine("Certificate #{0}: {1}", j, certificate.SubjectRDN.SaveToDNString());
    }
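The following program assembles steps 1 to 4 into one check and adds the piece the list stops short of: chain validation of the signer with TElX509CertificateValidator, evaluated as of the timestamp when one is present. It is an added example written for this page, not code from the SecureBlackbox help or samples. Everything from TElAuthenticodeManager is as shown above; the namespace names, TElX509CertificateValidator.Validate(cert, ref validity, ref reason), AddKnownCertificates(), UseSystemStorages and ValidityMoment are assumptions about the .NET edition that you should verify against the TElX509CertificateValidator help topic for your version.

```csharp
// Added example, not part of the original help topic.
// Assumed: SecureBlackbox .NET namespaces below, TElX509CertificateValidator.Validate(),
// AddKnownCertificates(), UseSystemStorages and ValidityMoment. Check against your version.
using System;
using SBAuthenticode;
using SBX509;
using SBCertValidator;

class AuthenticodeCheck
{
    // Returns true only if the file carries at least one signature, every signature
    // verifies over the file hash, AND every signer chains to a trusted root.
    static bool IsTrusted(string path)
    {
        TElAuthenticodeManager manager = new TElAuthenticodeManager();
        bool signed;
        try
        {
            signed = manager.Open(path);   // false: no Authenticode block at all
        }
        catch (Exception e)                // unreadable file or malformed Authenticode block
        {
            Console.WriteLine("Cannot parse {0}: {1}", path, e.Message);
            return false;
        }
        if (!signed)
        {
            Console.WriteLine("{0} is not signed", path);
            return false;
        }

        bool allOk = true;
        for (int i = 0; i < manager.SignatureCount; i++)
        {
            TElAuthenticodeSignature signature = manager.get_Signatures(i);
            Console.WriteLine("Signature #{0}: {1}", signature.Index, signature.Description);

            // Step 1 of the check: the signature itself must verify.
            if (signature.Validity != TSBAuthenticodeValidity.acvValid)
            {
                Console.WriteLine("  signature invalid: " + signature.Validity);
                allOk = false;
                continue;
            }

            TElX509Certificate signer = signature.SigningCertificate;
            if (signer == null)
            {
                Console.WriteLine("  signing certificate not found among embedded certificates");
                allOk = false;
                continue;
            }

            // Step 2 of the check: the signer must chain to a root we trust.
            // TElAuthenticodeManager does not do this; the validator does.
            TElX509CertificateValidator validator = new TElX509CertificateValidator();
            validator.UseSystemStorages = true;                     // assumed: OS trust store as anchors
            validator.AddKnownCertificates(signature.Certificates); // embedded chain as hints, not as anchors
            // With a timestamp, evaluate the chain at signing time so an expired
            // (but then-valid) signing certificate still passes.
            if (signature.Timestamp != null)
                validator.ValidityMoment = signature.Timestamp.SigningTime;

            TSBCertificateValidity validity = TSBCertificateValidity.cvInvalid;
            int reason = 0;
            validator.Validate(signer, ref validity, ref reason);   // assumed signature
            if (validity != TSBCertificateValidity.cvOk)
            {
                Console.WriteLine("  chain validation failed: {0} (reason {1})", validity, reason);
                allOk = false;
                continue;
            }
            Console.WriteLine("  OK: signed by " + signer.SubjectName.CommonName);
        }
        return allOk;
    }

    static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : @"C:\bin\program.exe";
        Console.WriteLine(IsTrusted(path) ? "TRUSTED" : "NOT TRUSTED");
    }
}
```

The embedded certificates are passed to the validator only as known (intermediate) certificates, never as trusted ones: an attacker controls everything inside the file, so the trust anchor has to come from outside it. Note also that a file with several signatures is only accepted here if all of them pass; relax that to "at least one passes" only if your policy explicitly allows it.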
    
Note that TElAuthenticodeManager only verifies the signatures themselves, and does not perform certificate chain validation. A signature reported as acvValid therefore proves only that the file has not been modified since it was signed, not that the signer is trustworthy. You need to validate the chain yourself using TElX509CertificateValidator as described here.

